On Friday, RMH Franchise Holdings warned that 166 of the 167 Applebee's restaurants it owns and operates suffered a data breach in which point-of-sale systems were infected with malware designed to capture payment card data from anyone who dined at the restaurants.

Infection periods vary by location, but the earliest infections began on Nov. 23, 2017, and none appear to have lasted longer than Jan. 2, the company says. It has not published an estimate of the number of payment cards that hackers compromised.

RMH says it's the second-largest Applebee's franchisee as well as "one of the fastest growing casual dining restaurant companies in America."

The company discovered the breach on Feb. 13 and "promptly took steps to ensure that it had been contained," RMH says in a statement. "In addition to engaging third-party cybersecurity experts to assist with our investigation, RMH also notified law enforcement about the incident and will continue to cooperate in their investigation. Moving forward, RMH is continuing to closely monitor its systems and review its security measures to help prevent something like this from happening again."

Customers' names, credit or debit card numbers, card expiration dates and card verification codes may have been compromised. "Payments made online or using self-pay tabletop devices were not affected by this incident," the company says.

The company says it's set up a help line that customers can call to receive more information about the breach.

Applebee's Restaurants: 166 Infected

RMH's data breach notification includes a list of all affected locations by name and lists the infection period. Here's a breakdown of how many RMH-owned Applebee's were affected in each state:

Alabama: 2

Arizona: 23

Florida: 4

Illinois: 14

Indiana: 21

Kansas: 3

Kentucky: 14

Missouri: 2

Mississippi: 1

Nebraska: 11

Ohio: 44

Oklahoma: 6

Pennsylvania: 1

Texas: 15

Wyoming: 5

RMH says the malware infections have been remediated and that it's safe again to use a payment card at its Applebee's restaurants.

The company has recommended that anyone who dined in one of the Applebee's restaurants it owns and operates keep a close eye on their bank and credit card statements. "If they see an unauthorized charge, guests should immediately notify the bank that issued the card. Payment card network rules generally state that cardholders are not responsible for such charges."

Identity theft experts say that U.S. credit card issuers are required to reimburse the full amount of any fraudulent charges, so long as customers report the charge in a timely manner. "Credit cards are better protected by federal law as to the amount of money that you are responsible for if lost or stolen, and most companies now extend a zero liability policy to customers," according to the Identity Theft Resource Center, a nonprofit U.S. organization that assists data breach victims.

ITRC recommends that at least when traveling, U.S. consumers never use a debit card to pay for anything because any fraud will result in funds immediately disappearing from an account. "It is more difficult and time consuming to resolve fraudulent purchases made with debit cards," ITRC says.

List of 166 Breached Locations

RMH declined to comment on how the breach was discovered, how many cards appear to have been affected, how attackers broke in, what specific steps Applebee's has taken to secure its systems to prevent a recurrence, and whether RMH's Applebee's restaurants use chip-and-PIN card security and if that helped mitigate the breach.

Yet Another Restaurant Chain Breach

RMH's breach means Applebee's joins the ever-growing roster of restaurants that have suffered POS malware infections leading to payment card data being stolen. The spate of restaurant-related breaches seems to have been nonstop since mid-2014, when restaurant chain P.F. Chang's China Bistro warned that a POS malware attack had compromised dozens of its locations.

Since then, numerous other restaurants, including Arby's, Chipotle, Jason's Deli and Wendy's, among many others, have fallen victim to POS malware infections (see 'Where's the Breach?').

Some information security experts recommend that any organization that uses POS terminals should assume they have been breached unless it can demonstrably and repeatedly prove otherwise. But many organizations don't appear to take the threat seriously until after their systems have been breached.

Attackers, however, are not just gunning for POS systems installed in restaurants and other locations, but also for POS system providers, whose compromise could enable hackers to infect many more systems and harvest many more payment card details at once.

In 2016, Oracle issued an alert about its MICROS point-of-sale hardware and software, used across 330,000 customer sites in 180 countries, warning that it had "detected and addressed malicious code in certain legacy MICROS systems." And many more POS vendors have also been targeted, security experts say.

Start With the Basics

Information security experts have long recommended that corporate IT administrators always ensure they have basic security defenses in place, including segmenting networks, restricting admin-level rights and never allowing any device with a default password to connect to corporate networks (see Solve Old Security Problems First).

But cybersecurity firm Mandiant, part of FireEye, in a report issued last year, warned that too many organizations still fail to put these basic, well-proven security defenses in place.

View of a "flat" retail network that is not segmented. (Source: Mandiant)

The lack of segmentation in particular leaves organizations that handle payment card information at heightened risk of being breached. "Unfortunately, most networks, including those with payment card information, are not segmented," Mandiant says. "The compromise of a single retail location often leads to the compromise of the larger PCI environment, making customer-facing employees in these retail environments the low-hanging fruit sought by attackers."

Editor's note: An earlier version of this story stated that all 167 Applebee's operated by RMH Franchise Holdings were affected by the breach, but the correct figure is 166 restaurants, as one location - in Crestwood, Illinois - was not affected.

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
